auxolotl/buildbot-nix
26
1
Fork 0
Code Issues Pull requests 1 Actions 1 Packages Projects Releases Wiki Activity

expose cachix options explictly

Browse source
This commit is contained in:
Jörg Thalheim 2023-12-23 19:54:42 +01:00 committed by mergify[bot]
parent 00f4ee3adf
commit f56e43267d
3 changed files with 71 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
buildbot_nix/__init__.py
View file

@ -417,11 +417,25 @@ def nix_eval_config(
) )
@dataclass
class CachixConfig:
name: str
signing_key_secret_name: str | None = None
auth_token_secret_name: str | None = None
def cachix_env(self) -> dict[str, str]:
env = {}
if self.signing_key_secret_name is not None:
env["CACHIX_SIGNING_KEY"] = util.Secret(self.signing_key_secret_name)
if self.auth_token_secret_name is not None:
env["CACHIX_AUTH_TOKEN"] = util.Secret(self.auth_token_secret_name)
return env
def nix_build_config( def nix_build_config(
project: GithubProject, project: GithubProject,
worker_names: list[str], worker_names: list[str],
has_cachix_auth_token: bool = False, cachix: CachixConfig | None = None,
has_cachix_signing_key: bool = False,
outputs_path: Path | None = None, outputs_path: Path | None = None,
) -> util.BuilderConfig: ) -> util.BuilderConfig:
""" """
@ -454,19 +468,15 @@ def nix_build_config(
haltOnFailure=True, haltOnFailure=True,
) )
) )
if has_cachix_auth_token or has_cachix_signing_key: if cachix:
if has_cachix_signing_key:
env = dict(CACHIX_SIGNING_KEY=util.Secret("cachix-signing-key"))
else:
env = dict(CACHIX_AUTH_TOKEN=util.Secret("cachix-auth-token"))
factory.addStep( factory.addStep(
steps.ShellCommand( steps.ShellCommand(
name="Upload cachix", name="Upload cachix",
env=env, env=cachix.cachix_env(),
command=[ command=[
"cachix", "cachix",
"push", "push",
util.Secret("cachix-name"), cachix.name,
util.Interpolate("result-%(prop:attr)s"), util.Interpolate("result-%(prop:attr)s"),
], ],
) )
@ -572,13 +582,13 @@ class GithubConfig:
def config_for_project( def config_for_project(
config: dict[str, Any], config: dict[str, Any],
project: GithubProject, project: GithubProject,
credentials: str,
worker_names: list[str], worker_names: list[str],
github: GithubConfig, github: GithubConfig,
nix_supported_systems: list[str], nix_supported_systems: list[str],
nix_eval_worker_count: int, nix_eval_worker_count: int,
nix_eval_max_memory_size: int, nix_eval_max_memory_size: int,
eval_lock: util.WorkerLock, eval_lock: util.WorkerLock,
cachix: CachixConfig | None = None,
outputs_path: Path | None = None, outputs_path: Path | None = None,
) -> Project: ) -> Project:
config["projects"].append(Project(project.name)) config["projects"].append(Project(project.name))
@ -635,12 +645,6 @@ def config_for_project(
), ),
] ]
) )
has_cachix_auth_token = os.path.isfile(
os.path.join(credentials, "cachix-auth-token")
)
has_cachix_signing_key = os.path.isfile(
os.path.join(credentials, "cachix-signing-key")
)
config["builders"].extend( config["builders"].extend(
[ [
# Since all workers run on the same machine, we only assign one of them to do the evaluation. # Since all workers run on the same machine, we only assign one of them to do the evaluation.
@ -657,8 +661,7 @@ def config_for_project(
nix_build_config( nix_build_config(
project, project,
worker_names, worker_names,
has_cachix_auth_token, cachix=cachix,
has_cachix_signing_key,
outputs_path=outputs_path, outputs_path=outputs_path,
), ),
nix_skipped_build_config(project, [SKIPPED_BUILDER_NAME]), nix_skipped_build_config(project, [SKIPPED_BUILDER_NAME]),
@ -756,6 +759,7 @@ class NixConfigurator(ConfiguratorBase):
nix_eval_worker_count: int | None, nix_eval_worker_count: int | None,
nix_eval_max_memory_size: int, nix_eval_max_memory_size: int,
nix_workers_secret_name: str = "buildbot-nix-workers", nix_workers_secret_name: str = "buildbot-nix-workers",
cachix: CachixConfig | None = None,
outputs_path: str | None = None, outputs_path: str | None = None,
) -> None: ) -> None:
super().__init__() super().__init__()
@ -765,7 +769,7 @@ class NixConfigurator(ConfiguratorBase):
self.nix_supported_systems = nix_supported_systems self.nix_supported_systems = nix_supported_systems
self.github = github self.github = github
self.url = url self.url = url
self.systemd_credentials_dir = os.environ["CREDENTIALS_DIRECTORY"] self.cachix = cachix
if outputs_path is None: if outputs_path is None:
self.outputs_path = None self.outputs_path = None
else: else:
@ -803,13 +807,13 @@ class NixConfigurator(ConfiguratorBase):
config_for_project( config_for_project(
config, config,
project, project,
self.systemd_credentials_dir,
worker_names, worker_names,
self.github, self.github,
self.nix_supported_systems, self.nix_supported_systems,
self.nix_eval_worker_count or multiprocessing.cpu_count(), self.nix_eval_worker_count or multiprocessing.cpu_count(),
self.nix_eval_max_memory_size, self.nix_eval_max_memory_size,
eval_lock, eval_lock,
self.cachix,
self.outputs_path, self.outputs_path,
) )

10
examples/default.nix
View file

@ -36,12 +36,20 @@ in
user = "mic92-buildbot"; user = "mic92-buildbot";
admins = [ "Mic92" ]; admins = [ "Mic92" ];
}; };
# optional # optional expose latest store path as text file
# outputsPath = "/var/www/buildbot/nix-outputs"; # outputsPath = "/var/www/buildbot/nix-outputs";
# optional nix-eval-jobs settings # optional nix-eval-jobs settings
# evalWorkerCount = 8; # limit number of concurrent evaluations # evalWorkerCount = 8; # limit number of concurrent evaluations
# evalMaxMemorySize = "2048"; # limit memory usage per evaluation # evalMaxMemorySize = "2048"; # limit memory usage per evaluation
# optional cachix
#cachix = {
# name = "my-cachix";
# # One of the following is required:
# signingKey = "/var/lib/secrets/cachix-key";
# authToken = "/var/lib/secrets/cachix-token";
#};
}; };
}) })
buildbot-nix.nixosModules.buildbot-master buildbot-nix.nixosModules.buildbot-master

41
nix/master.nix
View file

@ -15,6 +15,25 @@ in
default = "postgresql://@/buildbot"; default = "postgresql://@/buildbot";
description = "Postgresql database url"; description = "Postgresql database url";
}; };
cachix = {
name = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Cachix name";
};
signingKeyFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = "Cachix signing key";
};
authTokenFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Cachix auth token";
};
};
github = { github = {
tokenFile = lib.mkOption { tokenFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
@ -107,6 +126,13 @@ in
isSystemUser = true; isSystemUser = true;
}; };
assertions = [
{
assertion = cfg.cachix.name != null -> cfg.cachix.signingKeyFile != null || cfg.cachix.authTokenFile != null;
message = "if cachix.name is provided, then cachix.signingKeyFile and cachix.authTokenFile must be set";
}
];
services.buildbot-master = { services.buildbot-master = {
enable = true; enable = true;
@ -118,7 +144,7 @@ in
home = "/var/lib/buildbot"; home = "/var/lib/buildbot";
extraImports = '' extraImports = ''
from datetime import timedelta from datetime import timedelta
from buildbot_nix import GithubConfig, NixConfigurator from buildbot_nix import GithubConfig, NixConfigurator, CachixConfig
''; '';
configurators = [ configurators = [
'' ''
@ -132,9 +158,14 @@ in
buildbot_user=${builtins.toJSON cfg.github.user}, buildbot_user=${builtins.toJSON cfg.github.user},
topic=${builtins.toJSON cfg.github.topic}, topic=${builtins.toJSON cfg.github.topic},
), ),
cachix=${if cfg.cachix.name == null then "None" else "CachixConfig(
name=${builtins.toJSON cfg.cachix.name},
signing_key_secret_name=${if cfg.cachix.signingKeyFile != null then builtins.toJSON "cachix-signing-key" else "None"},
auth_token_secret_name=${if cfg.cachix.authTokenFile != null then builtins.toJSON "cachix-auth-token" else "None"},
"}),
url=${builtins.toJSON config.services.buildbot-master.buildbotUrl}, url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize}, nix_eval_max_memory_size=${builtins.toJSON cfg.evalMaxMemorySize},
nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toJSON cfg.evalWorkerCount}, nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},
nix_supported_systems=${builtins.toJSON cfg.buildSystems}, nix_supported_systems=${builtins.toJSON cfg.buildSystems},
outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath}, outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
) )
@ -166,7 +197,11 @@ in
"github-webhook-secret:${cfg.github.webhookSecretFile}" "github-webhook-secret:${cfg.github.webhookSecretFile}"
"github-oauth-secret:${cfg.github.oauthSecretFile}" "github-oauth-secret:${cfg.github.oauthSecretFile}"
"buildbot-nix-workers:${cfg.workersFile}" "buildbot-nix-workers:${cfg.workersFile}"
]; ]
++ lib.optional (cfg.cachix.signingKeyFile != null)
"cachix-signing-key:${builtins.toString cfg.cachix.signingKeyFile}"
++ lib.optional (cfg.cachix.authTokenFile != null)
"cachix-auth-token:${builtins.toString cfg.cachix.authTokenFile}";
}; };
}; };